password lookup argument parsing fix (#78080)

fixes #78079
2 years ago · cea18bf60a
parent cf9fd2d7da
commit cea18bf60a
3 changed files with 57 additions and 8 deletions
--- a/changelogs/fragments/password_lookup_fix.yml
+++ b/changelogs/fragments/password_lookup_fix.yml
@ -0,0 +1,2 @@
+bugfixes:
+  - password lookup does not ignore k=v arguments anymore.
--- a/lib/ansible/plugins/lookup/password.py
+++ b/lib/ansible/plugins/lookup/password.py
@ -124,7 +124,6 @@ _raw:
 import os
 import string
 import time
-import shutil
 import hashlib

 from ansible.errors import AnsibleError, AnsibleAssertionError
@ -139,12 +138,15 @@ DEFAULT_LENGTH = 20
 VALID_PARAMS = frozenset(('length', 'encrypt', 'chars', 'ident', 'seed'))


-def _parse_parameters(term):
+def _parse_parameters(term, kwargs=None):
    """Hacky parsing of params

    See https://github.com/ansible/ansible-modules-core/issues/1968#issuecomment-136842156
    and the first_found lookup For how we want to fix this later
    """
+    if kwargs is None:
+        kwargs = {}
+
    first_split = term.split(' ', 1)
    if len(first_split) <= 1:
        # Only a single argument given, therefore it's a path
@ -172,12 +174,12 @@ def _parse_parameters(term):
        raise AnsibleError('Unrecognized parameter(s) given to password lookup: %s' % ', '.join(invalid_params))

    # Set defaults
-    params['length'] = int(params.get('length', DEFAULT_LENGTH))
-    params['encrypt'] = params.get('encrypt', None)
-    params['ident'] = params.get('ident', None)
-    params['seed'] = params.get('seed', None)
+    params['length'] = int(params.get('length', kwargs.get('length', DEFAULT_LENGTH)))
+    params['encrypt'] = params.get('encrypt', kwargs.get('encrypt', None))
+    params['ident'] = params.get('ident', kwargs.get('ident', None))
+    params['seed'] = params.get('seed', kwargs.get('seed', None))

-    params['chars'] = params.get('chars', None)
+    params['chars'] = params.get('chars', kwargs.get('chars', None))
    if params['chars']:
        tmp_chars = []
        if u',,' in params['chars']:
@ -338,7 +340,7 @@ class LookupModule(LookupBase):
        ret = []

        for term in terms:
-            relpath, params = _parse_parameters(term)
+            relpath, params = _parse_parameters(term, kwargs)
            path = self._loader.path_dwim(relpath)
            b_path = to_bytes(path, errors='surrogate_or_strict')
            chars = _gen_candidate_chars(params['chars'])
--- a/test/integration/targets/lookup_password/tasks/main.yml
+++ b/test/integration/targets/lookup_password/tasks/main.yml
@ -102,3 +102,48 @@
  assert:
    that:
        - "newpass != newpass2"
+
+- name: test both types of args and that seed guarantees same results
+  vars:
+    pns: "{{passwords_noseed['results']}}"
+    inl: "{{passwords_inline['results']}}"
+    kv: "{{passwords['results']}}"
+    l: [1, 2, 3]
+  block:
+  - name: generate passwords w/o seed
+    debug:
+      msg: '{{ lookup("password", "/dev/null")}}'
+    loop: "{{ l }}"
+    register: passwords_noseed
+
+  - name: verify they are all different, this is not guaranteed, but statisically almost impossible
+    assert:
+      that:
+        - pns[0]['msg'] != pns[1]['msg']
+        - pns[0]['msg'] != pns[2]['msg']
+        - pns[1]['msg'] != pns[2]['msg']
+
+  - name: generate passwords, with seed inline
+    debug:
+      msg: '{{ lookup("password", "/dev/null seed=foo")}}'
+    loop: "{{ l }}"
+    register: passwords_inline
+
+  - name: verify they are all the same
+    assert:
+      that:
+        - inl[0]['msg'] == inl[1]['msg']
+        - inl[0]['msg'] == inl[2]['msg']
+
+  - name: generate passwords, with seed k=v
+    debug:
+      msg: '{{ lookup("password", "/dev/null", seed="foo")}}'
+    loop: "{{ l }}"
+    register: passwords
+
+  - name: verify they are all the same
+    assert:
+      that:
+        - kv[0]['msg'] == kv[1]['msg']
+        - kv[0]['msg'] == kv[2]['msg']
+        - kv[0]['msg'] == inl[0]['msg']